Hackers are playing a 'cat-and-mouse game' with the IRS — and doing an 'amazingly' good job at stealing your tax returns

Photo: A German federal law-enforcement officer takes digital fingerprints of an illegal immigrant at a police station in Munich central railway station, November 14, 2014. REUTERS/Michaela Rehle

The Internal Revenue Service (IRS) is warning consumers of a
“surge” in email-fraud schemes this tax-filing season.

Scammers send out emails that
look to be official IRS correspondence, hoping to infect victims
with malicious attachments or collect personal information that
could be used for identity theft and financial gain.
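To make the scheme concrete, here is an added triage script (example code written for this page, not an IRS tool and not anything from the article) that scores a raw email for the tells an IRS-themed lure tends to carry: a display name that says "IRS" while the sender's domain is something else, a Reply-To pointing at a third domain, a link whose visible text shows irs.gov while its target does not, a risky attachment type, and a body asking for the Social Security number and date of birth that a fraudster needs to file in the victim's name. The two sample messages are constructed, and the indicator and extension lists are assumptions; the one fact the check builds on is the IRS's own stated policy that it does not initiate contact with taxpayers by email.

```python
# Added example (not from the article): heuristic triage of an email that
# claims to come from the IRS. Indicators, the extension list and the two
# sample messages below are constructed for illustration.
import email
import re
from email import policy
from email.utils import parseaddr

IRS_DOMAIN = "irs.gov"
# Attachment types an IRS-themed lure typically carries (assumed list).
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".zip", ".docm", ".xlsm", ".htm", ".html")
CLAIMS_IRS = re.compile(r"\birs\b|internal revenue", re.IGNORECASE)
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _url_host(url: str) -> str:
    """Host of an http(s) URL, lower-cased ('' if it does not parse)."""
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def _is_irs(host: str) -> bool:
    return host == IRS_DOMAIN or host.endswith("." + IRS_DOMAIN)


def triage(raw: str) -> list[str]:
    """Return the phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []

    name, addr = parseaddr(str(msg.get("From", "")))
    # A display name that says "IRS" while the address lives elsewhere is the
    # most common tell; the IRS states it does not initiate contact by email.
    if CLAIMS_IRS.search(name) and not _is_irs(_domain(addr)):
        found.append("display-name claims IRS but sender domain is not irs.gov")

    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != _domain(addr):
        found.append("Reply-To domain differs from From domain")

    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            found.append(f"risky attachment: {filename}")

    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for href, text in LINK_RE.findall(part.get_content()):
            # Anchor text advertises irs.gov while the real target is elsewhere.
            if "irs.gov" in text.lower() and not _is_irs(_url_host(href)):
                found.append("link text shows irs.gov but href points elsewhere")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    if "social security" in text and "date of birth" in text:
        found.append("body asks for SSN and date of birth")
    return found


# Constructed sample: an IRS-themed lure with a zip attachment and a decoy link.
PHISH = """\
From: "IRS Refund Department" <refunds@irs-refund-center.com>
Reply-To: claims@mail-drop.example
To: victim@example.com
Subject: Your 2015 tax refund is pending
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>To release your refund, confirm your Social Security Number and
date of birth at <a href="http://irs-refund-center.com/verify">www.irs.gov/refunds</a>
or open the attached form.</p>
--b1
Content-Type: application/zip; name="Form_W2.zip"
Content-Disposition: attachment; filename="Form_W2.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# Constructed sample: an ordinary newsletter that merely mentions the IRS.
LEGIT = """\
From: "Tax Prep Newsletter" <news@taxprep.example>
To: victim@example.com
Subject: Filing season tips
Content-Type: text/plain; charset="utf-8"

Reminder: the IRS does not initiate contact by email. File early.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw))
```

Any single indicator is a prompt to look closer; the combination the constructed lure trips is decisive. The check reads only headers and body so it runs offline on a saved .eml file; a production filter would add the SPF and DKIM results from the receiving mail server, which are out of scope here.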

In an IRS press release, the agency noted that the number of reported
phishing and malware schemes had increased roughly fourfold, from 254
reports in January 2015 to 1,026 in January 2016.

Similarly, from February 1 to February 16, 2016, 363 incidents were
reported, compared with 201 for the full month of February 2015.

In aggregate, the 1,389 reported
incidents for the first month and a half of 2016 have already
topped the 1,361 incidents for all of 2014.

It doesn’t take a very
sophisticated attack for scammers to make a lot of money off of a
stolen identity.

A “60 Minutes” investigation found that all an attacker needs to
file a tax return — claiming refunds on the victim’s behalf — is a
Social Security number and date of birth.

“I could wake up in the comfort
of my own home, and just get on a laptop, do about 15 returns a
day,” one scammer told “60 Minutes.” “Fifteen times $3,000 a
return, that's $45,000 a day.”

'A cat-and-mouse game'

As the IRS implements new security measures, attackers develop new
schemes to get around them. The new requirement that taxpayers provide
a driver’s license number for some state filings, for example, adds
just another static identifier to the mix: it could easily prompt
attackers to craft phishing emails that trick victims into providing
the number, or to go after other databases where that information is
stored.

“There’s a cat-and-mouse game,”
says Chris Hadnagy, CEO and founder of Social-Engineer, Inc., a
company that does what he describes as security-penetration
testing for humans rather than computers.

Image: One of the emails. State Department

While he is quick to note that the IRS is making an effort by
requiring more information from taxpayers, Hadnagy doesn’t see a
solution in increased authentication alone: He stresses education
and awareness.

“The question of ‘Is there a
technical fix?’ There’s not. ... There’s no plugin, there’s no
attachment, there’s no little box you can stick on your network
and — bam — you’re safe from phishing.”

'Phishing scams work amazingly well'

Victims have to be aware of an always-evolving landscape of threats:
Sophisticated attackers combine phishing emails with fake text messages
and phone calls, and even mount automated attacks on the IRS' own
security measures. Meanwhile, Hadnagy says that many people aren't
even aware that scam emails impersonating the IRS or PayPal exist at
all.

But the IRS' user base is the
entire taxpaying public, making education more challenging than
it might be for a business. As a result, scammers have been
seeing large returns.

Simply put, phishing scams work
"amazingly well," Hadnagy says.

Vast sums of taxpayer money are being refunded to criminals by way of
fraudulent returns made with stolen information. According to a GAO
report citing the IRS' own estimates, the IRS prevented or recovered
the payment of $24.2 billion in fraudulent refunds in 2013, but paid
$5.8 billion in what it determined were fraudulent returns.

As the prevalence of fraud
attempts increases, the IRS' ability to keep taxpayer money out
of the hands of fraudsters seems to be weakening. Compared to
$24.2 billion withheld from scammers in 2013, the IRS stopped
only $8.7 billion across 1.4 million “confirmed identity theft
returns” in 2015.

The large discrepancy may be partly the result of more conservative
calculations on the part of the IRS: the GAO report criticized
assumptions made in the IRS' cost-estimation process.

Image: A phishing email can contain a malicious attachment. SecurityMetrics

Unfortunately, false tax returns are only one way scammers
escalate phishing attacks into profit. Stolen credentials can
easily be used to gain access to sensitive accounts, especially
when passwords are reused.

A recent study using a fake online persona with Google credentials
leaked to the dark web found that 94% of hackers who accessed the
Google account found the "victim's" other online accounts and tried to
log into a false bank web portal set up for the experiment.

Hadnagy urges those who feel they may have given their information to
scammers to change their passwords, especially for accounts sharing a
compromised password, and not to forward suspicious emails, even to
ask for a second opinion: Doing so only increases the chance of
spreading the attack.

Additionally, those who receive phone calls supposedly from the IRS
should look up their local IRS office and call that number to look
into a suspicious call’s claims rather than calling back a number that
may belong to a scammer.

In severe cases, victims can call the major credit agencies to get a
temporary freeze put on their credit file, which blocks new accounts
being opened in their name; they can even potentially be issued a new
SSN.

“What it really boils down to,"
says Hadnagy, "is critical thinking and taking the effort to be
secure.”